[Bug tools/33005] New: Dynamic Stack Buffer Overflow in eu-unstrip's new_shstrtab Function
https://sourceware.org/bugzilla/show_bug.cgi?id=33005

            Bug ID: 33005
           Summary: Dynamic Stack Buffer Overflow in eu-unstrip's new_shstrtab Function
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: tools
          Assignee: unassigned at sourceware dot org
          Reporter: xdcao.cs at gmail dot com
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Summary

Dynamic Stack Buffer Overflow in eu-unstrip's new_shstrtab Function

Environment

elfutils version: 0.192
OS: Ubuntu 22.04.5 LTS

Steps to reproduce

# export CFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
# export CXXFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
# ./configure --enable-maintainer-mode --disable-debuginfod
# make -j64 & make install

root@c6c01f72391e:# ./eu-unstrip -F POC/POC1 POC/POC2
=================================================================
==549005==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffd6ef87470 at pc 0x004dd808 bp 0x7ffd6ef87390 sp 0x7ffd6ef87388
WRITE of size 8 at 0x7ffd6ef87470 thread T0
    #0 0x4dd807 in new_shstrtab /workspace/new-test/program/elfutils/src/unstrip.c:1380:50
    #1 0x4d2183 in copy_elided_sections /workspace/new-test/program/elfutils/src/unstrip.c:1682:27
    #2 0x4cfc2a in handle_file /workspace/new-test/program/elfutils/src/unstrip.c:2234:5
    #3 0x4ce648 in handle_explicit_files /workspace/new-test/program/elfutils/src/unstrip.c:2331:3
    #4 0x4ccf0e in main /workspace/new-test/program/elfutils/src/unstrip.c:2661:2
    #5 0x7f11d46bdd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #6 0x7f11d46bde3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #7 0x420764 in _start (/workspace/new-test/fuzzdir/fz-elfutils/fz-eu-unstrip/eu-unstrip+0x420764)

Address 0x7ffd6ef87470 is located in stack of thread T0
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow /workspace/new-test/program/elfutils/src/unstrip.c:1380:50 in new_shstrtab
Shadow bytes around the buggy address:
  0x10002dde8e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002dde8e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002dde8e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002dde8e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002dde8e70: 00 00 00 00 ca ca ca ca 00 00 00 00 00 00 00 00
=>0x10002dde8e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[cb]cb
  0x10002dde8e90: cb cb cb cb f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8
  0x10002dde8ea0: f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f3 f3 f3 f3
  0x10002dde8eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002dde8ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002dde8ed0: ca ca ca ca 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==549005==ABORTING

POC

https://drive.google.com/file/d/1PIomLS8od5Rd0w_ru5HGr84d501OM5oa/view?usp=sharing

Credit

Xiaoguo Li (CUPL)
Xudong Cao (UCAS)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
[Bug tools/33006] New: Stack Buffer Overflow in eu-objdump's riscv_disasm Function
https://sourceware.org/bugzilla/show_bug.cgi?id=33006

            Bug ID: 33006
           Summary: Stack Buffer Overflow in eu-objdump's riscv_disasm Function
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: tools
          Assignee: unassigned at sourceware dot org
          Reporter: xdcao.cs at gmail dot com
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Summary

Stack Buffer Overflow in eu-objdump's riscv_disasm Function

Environment

elfutils version: 0.192
OS: Ubuntu 22.04.5 LTS

Steps to reproduce

# export CFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
# export CXXFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
# ./configure --enable-maintainer-mode --disable-debuginfod
# make -j64 & make install

root@c6c01f72391e:# ./eu-objdump -d POC_elfutils_eu-objdump_stack-buffer-overflow
POC_elfutils_eu-objdump_stack-buffer-overflow: elf64-elf_riscv

Disassembly of section .text:
   0:48 8d	0x8d48
   2:a4 24	fld fs1,72(s1)
   4:68 ff	sd a0,248(a4)
=================================================================
==712103==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff25e11902 at pc 0x0043e841 bp 0x7fff25e11580 sp 0x7fff25e10d18
WRITE of size 5 at 0x7fff25e11902 thread T0
    #0 0x43e840 in vsnprintf (/workspace/new-test/fuzzdir/fz-elfutils/fz-eu-objdump/eu-objdump+0x43e840)
    #1 0x43fe66 in __snprintf_chk (/workspace/new-test/fuzzdir/fz-elfutils/fz-eu-objdump/eu-objdump+0x43fe66)
    #2 0x548c93 in riscv_disasm /workspace/new-test/program/elfutils/libcpu/riscv_disasm.c:1308:12
    #3 0x7fa5aed94923 in disasm_cb /workspace/new-test/program/elfutils/libasm/disasm_cb.c:178:10
    #4 0x4cefc4 in show_disasm /workspace/new-test/program/elfutils/src/objdump.c:736:4
    #5 0x4cdd3c in handle_elf /workspace/new-test/program/elfutils/src/objdump.c:783:14
    #6 0x4cccee in process_file /workspace/new-test/program/elfutils/src/objdump.c:250:17
    #7 0x4cc998 in main /workspace/new-test/program/elfutils/src/objdump.c:163:12
    #8 0x7fa5ae74bd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7fa5ae74be3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #10 0x420734 in _start (/workspace/new-test/fuzzdir/fz-elfutils/fz-eu-objdump/eu-objdump+0x420734)

Address 0x7fff25e11902 is located in stack of thread T0 at offset 642 in frame
    #0 0x54813f in riscv_disasm /workspace/new-test/program/elfutils/libcpu/riscv_disasm.c:117

  This frame has 6 object(s):
    [32, 544) 'initbuf' (line 121)
    [608, 640) 'mnebuf' (line 167) <== Memory access at offset 642 overflows this variable
    [672, 712) 'op' (line 168)
    [752, 784) 'immbuf' (line 169)
    [816, 848) 'addrbuf' (line 172)
    [880, 896) 'key' (line 1258)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/workspace/new-test/fuzzdir/fz-elfutils/fz-eu-objdump/eu-objdump+0x43e840) in vsnprintf
Shadow bytes around the buggy address:
  0x100064bba2d0: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
  0x100064bba2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100064bba2f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100064bba300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100064bba310: 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
=>0x100064bba320:[f2]f2 f2 f2 00 00 00 00 00 f2 f2 f2 f2 f2 00 00
  0x100064bba330: 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 f8 f8
  0x100064bba340: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100064bba350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100064bba360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100064bba370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==712103==ABORTING

POC

https://drive.google.com/file/d/1YdviqwGYIv659lqkCrpGVA9QsfakD8_u/view?usp=sharing

Credit

Xiaoguo Li (CUPL)
Xudong Cao (UCAS)
[Bug tools/33004] New: Stack Buffer Underflow in eu-unstrip's sections_match Function
https://sourceware.org/bugzilla/show_bug.cgi?id=33004

            Bug ID: 33004
           Summary: Stack Buffer Underflow in eu-unstrip's sections_match Function
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: tools
          Assignee: unassigned at sourceware dot org
          Reporter: xdcao.cs at gmail dot com
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Summary

Stack Buffer Underflow in eu-unstrip's sections_match Function

Environment

elfutils version: 0.192
OS: Ubuntu 22.04.5 LTS

Steps to reproduce

# export CFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
# export CXXFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
# ./configure --enable-maintainer-mode --disable-debuginfod
# make -j64 & make install

root@c6c01f72391e:# ./eu-unstrip -F POC/POC1 POC/POC2
=================================================================
==250432==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ffc029cac50 at pc 0x004da24a bp 0x7ffc029cabb0 sp 0x7ffc029caba8
READ of size 8 at 0x7ffc029cac50 thread T0
    #0 0x4da249 in sections_match /workspace/new-test/program/elfutils/src/unstrip.c:1024:50
    #1 0x4d11ab in copy_elided_sections /workspace/new-test/program/elfutils/src/unstrip.c:1544:12
    #2 0x4cfc2a in handle_file /workspace/new-test/program/elfutils/src/unstrip.c:2234:5
    #3 0x4ce648 in handle_explicit_files /workspace/new-test/program/elfutils/src/unstrip.c:2331:3
    #4 0x4ccf0e in main /workspace/new-test/program/elfutils/src/unstrip.c:2661:2
    #5 0x7f6ab22ebd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #6 0x7f6ab22ebe3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #7 0x420764 in _start (/workspace/new-test/fuzzdir/fz-elfutils/fz-eu-unstrip/eu-unstrip+0x420764)

Address 0x7ffc029cac50 is located in stack of thread T0 at offset 16 in frame
    #0 0x4d003f in copy_elided_sections /workspace/new-test/program/elfutils/src/unstrip.c:1429

  This frame has 16 object(s):
    [32, 40) 'unstripped_shstrndx' (line 1430) <== Memory access at offset 16 underflows this variable
    [64, 72) 'stripped_shstrndx' (line 1434)
    [96, 104) 'unstripped_shnum' (line 1438)
    [128, 136) 'stripped_shnum' (line 1442)
    [160, 224) 'shdr_mem' (line 1509)
    [256, 320) 'shdr_mem551' (line 1701)
    [352, 376) 'sym_mem' (line 1785)
    [416, 420) 'shndx' (line 1786)
    [432, 496) 'shdr_mem993' (line 1852)
    [528, 592) 'mem' (line 1961)
    [624, 688) 'mem1280' (line 1988)
    [720, 744) 'sym1322' (line 2004)
    [784, 848) 'shdr_mem1499' (line 2104)
    [880, 944) 'ehdr_mem' (line 2134)
    [976, 984) 'phnum' (line 2152)
    [1008, 1064) 'phdr_mem' (line 2163)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow /workspace/new-test/program/elfutils/src/unstrip.c:1024:50 in sections_match
Shadow bytes around the buggy address:
  0x10531530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10531540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10531550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10531560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10531570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10531580: ca ca ca ca cb cb cb cb f1 f1[f1]f1 00 f2 f2 f2
  0x10531590: 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00
  0x105315a0: 00 00 00 00 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8
  0x105315b0: f2 f2 f2 f2 f8 f8 f8 f2 f2 f2 f2 f2 f8 f2 f8 f8
  0x105315c0: f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8
  0x105315d0: f8 f8 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==250432==ABORTING

POC

https://drive.google.com/file/d/1NA5t6yC5patQ3SkM-hXxzTugal9Wz4mj/view?usp=sharing

Credit

Xiaoguo Li (CUPL)
Xudong Cao (UCAS)
[Bug tools/33003] New: Bus Error Vulnerability in eu-strip due to Invalid Memory Write
https://sourceware.org/bugzilla/show_bug.cgi?id=33003

            Bug ID: 33003
           Summary: Bus Error Vulnerability in eu-strip due to Invalid Memory Write
           Product: elfutils
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: tools
          Assignee: unassigned at sourceware dot org
          Reporter: xdcao.cs at gmail dot com
                CC: elfutils-devel at sourceware dot org
  Target Milestone: ---

Summary

Bus Error Vulnerability in eu-strip due to Invalid Memory Write

Environment

elfutils version: 0.192
OS: Ubuntu 22.04.5 LTS

Steps to reproduce

# export CFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
# export CXXFLAGS="-g -O0 -fno-inline -fno-lto -fsanitize=address"
# ./configure --enable-maintainer-mode --disable-debuginfod
# make -j64 & make install

root@c6c01f72391e:# ./eu-strip --output /var/tmp/stripped.out --reloc-debug-sections-only POC
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3973325==ERROR: AddressSanitizer: BUS on unknown address (pc 0x7f923a6ca9fb bp 0x7fffe15f00f0 sp 0x7fffe15ef8a8 T0)
==3973325==The signal is caused by a WRITE memory access.
==3973325==Hint: this fault was caused by a dereference of a high value address (see register values below). Disassemble the provided pc to learn which register was used.
    #0 0x7f923a6ca9fb string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:429
    #1 0x49ac51 in __asan_memcpy (/workspace/new-test/fuzzdir/fz-elfutils/fz-eu-strip/eu-strip+0x49ac51)
    #2 0x7f923ac20993 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29:10
    #3 0x7f923ac20993 in __elf64_updatemmap /workspace/new-test/program/elfutils/libelf/./elf32_updatefile.c:451:3
    #4 0x7f923ac0cfdb in write_file /workspace/new-test/program/elfutils/libelf/elf_update.c:123:7
    #5 0x7f923ac0c73f in elf_update /workspace/new-test/program/elfutils/libelf/elf_update.c:231:9
    #6 0x4d08b4 in handle_elf /workspace/new-test/program/elfutils/src/strip.c:2589:7
    #7 0x4cd576 in process_file /workspace/new-test/program/elfutils/src/strip.c:807:16
    #8 0x4ccddb in main /workspace/new-test/program/elfutils/src/strip.c:270:12
    #9 0x7f923a62fd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #10 0x7f923a62fe3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #11 0x4208f4 in _start (/workspace/new-test/fuzzdir/fz-elfutils/fz-eu-strip/eu-strip+0x4208f4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: BUS string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:429
==3973325==ABORTING

POC

https://drive.google.com/file/d/1I7Ki0yKrITr_vOaMx4GQvrtLwfMVIOCJ/view?usp=sharing

Credit

Xiaoguo Li (CUPL)
Xudong Cao (UCAS)
[Bug tools/33004] Stack Buffer Underflow in eu-unstrip's sections_match Function
https://sourceware.org/bugzilla/show_bug.cgi?id=33004

--- Comment #3 from Xudong Cao ---
(In reply to Mark Wielaard from comment #2)
> Checked in the early exit patch so we don't produce an obscure error message
> later. But there is no real bug here.

Hi Mark,

Thanks for the quick fix! I agree the files are malformed, but any out-of-bounds access caught by ASan is still considered a memory-safety defect from the security point of view. The early-exit patch solves that, so many thanks.
[Bug tools/33004] Stack Buffer Underflow in eu-unstrip's sections_match Function
https://sourceware.org/bugzilla/show_bug.cgi?id=33004

--- Comment #5 from Xudong Cao ---
ASan rightly flags the cross-object pointer subtraction in sections_match()—disallowed under C11 §6.5.6—because its red-zone poisoning detects the out-of-object access even though the same UB silently passes in a non-instrumented build.
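The comment above describes the general pattern behind the underflow: subtracting two pointers that do not point into the same array is undefined under C11 6.5.6, and when the "foreign" pointer is a nearby stack object (here, the ASan frame shows the read landing in copy_elided_sections' own locals) the result is a meaningless index that an instrumented build catches and a plain build silently uses. The following is an added example, not elfutils code, showing the defensive form: membership in the array is checked on integer addresses first, and the pointer subtraction is only performed once it is known to be well-defined. The `struct section` type and `section_index` function are hypothetical stand-ins for whatever descriptor type the real code uses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical section descriptor standing in for elfutils' own type. */
struct section {
    const char *name;
    uint64_t addr;
};

/* Return the index of *p within secs[0..nsecs), or -1 when p is not an
   element of that array.  The comparison is done on uintptr_t values so
   that no pointer arithmetic on unrelated objects ever happens; the final
   `p - secs` is only reached when both pointers lie in the same array,
   which is the case C11 6.5.6 defines. */
ptrdiff_t section_index(const struct section *secs, size_t nsecs,
                        const struct section *p)
{
    if (secs == NULL || p == NULL)
        return -1;
    /* Guard the size computation itself against overflow. */
    if (nsecs > SIZE_MAX / sizeof *secs)
        return -1;

    uintptr_t lo = (uintptr_t)secs;
    uintptr_t hi = lo + nsecs * sizeof *secs;   /* one past the last element */
    uintptr_t q  = (uintptr_t)p;

    if (q < lo || q >= hi)
        return -1;                               /* foreign object or past the end */
    if ((q - lo) % sizeof *secs != 0)
        return -1;                               /* points into the middle of an element */
    return p - secs;                             /* well-defined: same array */
}

/* Constructed sample table used by demo_section_index() and the tests. */
static const struct section sample_secs[4] = {
    { ".text",   0x1000 },
    { ".data",   0x2000 },
    { ".bss",    0x3000 },
    { ".shstrtab", 0 },
};

/* Worked check: an element pointer yields its index, while a pointer to an
   unrelated stack variable (the situation ASan reported as an underflow)
   and the one-past-the-end pointer are both rejected.  Returns 1 if every
   case behaves as expected, 0 otherwise. */
int demo_section_index(void)
{
    uint64_t unrelated_local = 0;   /* stands in for a neighbouring stack object */
    const struct section *foreign = (const struct section *)&unrelated_local;

    if (section_index(sample_secs, 4, &sample_secs[2]) != 2)
        return 0;
    if (section_index(sample_secs, 4, sample_secs + 4) != -1)
        return 0;
    if (section_index(sample_secs, 4, foreign) != -1)
        return 0;
    return 1;
}

int main(void)
{
    printf("section_index checks %s\n", demo_section_index() ? "passed" : "FAILED");
    return demo_section_index() ? 0 : 1;
}
```

The range test is deliberately done before, not instead of, the subtraction: the subtraction gives the index cheaply and portably once membership is established, and the integer comparison is what keeps an unrelated object from ever producing a plausible-looking index.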
[Bug tools/33005] Dynamic Stack Buffer Overflow in eu-unstrip's new_shstrtab Function
https://sourceware.org/bugzilla/show_bug.cgi?id=33005

Xudong Cao changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |xdcao.cs at gmail dot com

--- Comment #2 from Xudong Cao ---
Created attachment 16119
  --> https://sourceware.org/bugzilla/attachment.cgi?id=16119&action=edit
reproduce the issue on the latest main branch

I can still successfully reproduce the issue on the latest main branch (commit ec21fbb47e48d954835fe6ced9eed555a3e73e9f) regardless of whether gcc or clang is used.
[Bug tools/33006] Stack Buffer Overflow in eu-objdump's riscv_disasm Function
https://sourceware.org/bugzilla/show_bug.cgi?id=33006

--- Comment #3 from Xudong Cao ---
(In reply to Aaron Merey from comment #1)
> I was not able to reproduce using the given instructions. I also tried
> adding LDFLAGS="-fsanitize=address" and ASAN_OPTIONS=detect_leaks=0.
>
> As stated in https://sourceware.org/bugzilla/show_bug.cgi?id=33003#c3 we do
> not consider sanitizer errors on corrupt files alone to be real security
> issues.

I can still successfully reproduce the issue on the latest main branch (commit ec21fbb47e48d954835fe6ced9eed555a3e73e9f) regardless of whether gcc or clang is used.
[Bug tools/33006] Stack Buffer Overflow in eu-objdump's riscv_disasm Function
https://sourceware.org/bugzilla/show_bug.cgi?id=33006

Xudong Cao changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |xdcao.cs at gmail dot com

--- Comment #4 from Xudong Cao ---
Created attachment 16120
  --> https://sourceware.org/bugzilla/attachment.cgi?id=16120&action=edit
reproduce the issue on the latest main branch (commit ec21fbb47e48d954835fe6ced9eed555a3e73e9f)

I can still successfully reproduce the issue on the latest main branch (commit ec21fbb47e48d954835fe6ced9eed555a3e73e9f) regardless of whether gcc or clang is used.
[Bug tools/33006] Stack Buffer Overflow in eu-objdump's riscv_disasm Function
https://sourceware.org/bugzilla/show_bug.cgi?id=33006

Xudong Cao changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|NOTABUG                     |---
             Status|RESOLVED                    |UNCONFIRMED

--- Comment #5 from Xudong Cao ---
(In reply to Mark Wielaard from comment #2)
> Note that you don't actually need asan to show this. This shows up with
> _FORTIFY_SOURCE (which is on by default unless you explicitly override
> CFLAGS) when processing an "illegal" instruction with the max possible
> length. We provide a slightly too small stack buffer to snprintf. Which
> would immediate terminate with _FORTIFY_SOURCE on such "illegal"
> instructions. Without _FORTIFY_SOURCE we just use a few extra bytes on
> the stack. There are some larger arrays in the stack which aren't used
> afterwards, without any issue, even though it is technically UB.

Thanks for the detailed explanation and clarification.
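The quoted explanation describes the mechanism precisely: snprintf is handed a size larger than the stack buffer it writes into, so a maximal-length "illegal" instruction spills a few bytes past the array; a _FORTIFY_SOURCE build routes the call through __snprintf_chk (frame #1 in the report), which knows the real object size and aborts, while an unfortified, uninstrumented build silently overwrites adjacent stack. The following is an added example, not elfutils code, of the defensive form: the bound passed to snprintf is always the buffer's true size, and the return value is checked so that truncation of an over-long mnemonic is reported rather than ignored. `format_insn`, `demo_truncation` and `MNEBUF_SIZE` are hypothetical names; the 32-byte size matches the `mnebuf` object in the ASan frame above, the instruction text is taken from the report, and the over-long operand string is constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Same size as the 'mnebuf' [608, 640) object in the riscv_disasm frame. */
#define MNEBUF_SIZE 32

/* Format "mnemonic operands" into out[outsz].
   The bound handed to snprintf is the caller's real buffer size, so a
   fortified build has nothing to abort on and an ASan build nothing to
   flag.  Returns 0 when the text fit, -1 when it was truncated (out is
   still NUL-terminated in that case) or on a formatting error. */
int format_insn(char *out, size_t outsz, const char *mne, const char *operands)
{
    if (out == NULL || outsz == 0 || mne == NULL || operands == NULL)
        return -1;
    int n = snprintf(out, outsz, "%s%s%s", mne, *operands ? " " : "", operands);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    /* snprintf returns the length it *wanted* to write; >= outsz means cut off. */
    return (size_t)n < outsz ? 0 : -1;
}

/* Scratch buffer with the same size as mnebuf, for callers and tests. */
static char scratch[MNEBUF_SIZE];

/* Worked check: the "fld fs1,72(s1)" line from the report fits, while a
   constructed over-long operand (longer than the whole 32-byte buffer)
   is reported as truncated and still leaves a NUL-terminated string of
   exactly MNEBUF_SIZE - 1 characters.  Returns 1 on success, 0 otherwise. */
int demo_truncation(void)
{
    char mnebuf[MNEBUF_SIZE];

    if (format_insn(mnebuf, sizeof mnebuf, "fld", "fs1,72(s1)") != 0)
        return 0;
    if (strcmp(mnebuf, "fld fs1,72(s1)") != 0)
        return 0;

    /* Constructed 38-character operand: ".word " + this = 44 > 31 usable bytes. */
    const char *longop = "0x0123456789abcdef0123456789abcdef0123";
    if (format_insn(mnebuf, sizeof mnebuf, ".word", longop) != -1)
        return 0;
    if (strlen(mnebuf) != MNEBUF_SIZE - 1)
        return 0;
    return 1;
}

int main(void)
{
    int ok = demo_truncation();
    printf("snprintf bound/truncation checks %s\n", ok ? "passed" : "FAILED");
    return ok ? 0 : 1;
}
```

The return-value check is what turns "a few extra bytes on the stack" into an explicit condition the disassembler can handle (for example by emitting a generic placeholder for an instruction whose text does not fit) instead of relying on _FORTIFY_SOURCE or ASan to notice the overrun at run time.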